I have had issues using these methods with some programs that I've attempted to shield from AV. On occasion I've found that I've needed to extend .text section(s) inside of the binaries using lordpe for programs like gsecdump in order to get scramblers or encoders to work well.
On Wed, May 19, 2010 at 9:20 AM, xgermx <[email protected]> wrote:
> I get most things through A/V the same way (be it nc or fgdump). I split the executable in half and scan each piece with the A/V. I discard the piece that passes and focus on the piece that gets flagged. I then split that piece in half and repeat the process. I do this multiple times until I'm left with a small amount of code responsible for triggering the A/V. I then use a hex editor on the original executable to make very small modifications to that specific block of code. Usually it only takes a few character changes for the A/V not to recognize it anymore. This, in combination with editing the PE (I second PE scrambler) rarely fails me.
>
> On Wed, May 19, 2010 at 1:07 AM, Ali Alhebshi <[email protected]> wrote:
> > Has anyone succeeded in getting fgdump past AV systems?
> >
> > On Mon, May 17, 2010 at 4:04 PM, bytes abit <[email protected]> wrote:
> >> Also, as a side note.. perhaps if you want to keep ncat on the system you could use the "Copy CON" techniques discussed in PDC... Can't remember the episode, think it was in the 160-170 range...
> >>
> >> On Mon, May 17, 2010 at 8:35 AM, Jim Halfpenny <[email protected]> wrote:
> >>> Hi,
> >>> Busybox provides netcat functionality plus lots more with a small footprint. I have not come across any AV software which detects busybox as a potentially unwanted program.
> >>>
> >>> Regards,
> >>> Jim
> >>>
> >>> On 16 May 2010 17:49, Chris Teodorski <[email protected]> wrote:
> >>> > Thanks to all for the great advice. I was using NetCat, because I'm putting it on a Teensy++ and I'm very limited in space. The executable needs to be super small...
> >>> >
> >>> > I followed the article here:
> >>> > http://packetstormsecurity.nl/papers/virus/Taking_Back_Netcat.pdf
> >>> >
> >>> > It seems to have worked.
> >>> >
> >>> > Thanks to all for the help.
> >>> >
> >>> > On Sat, May 15, 2010 at 2:15 PM, Rob Fuller <[email protected]> wrote:
> >>> >> Just curious, but why are you using Netcat?
> >>> >>
> >>> >> --
> >>> >> Rob Fuller | Mubix
> >>> >> Room362.com | Hak5.org | TheAcademyPro.com
> >>> >> Ignore this:
> >>> >> x5o...@ap[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> >>> >>
> >>> >> On Sat, May 15, 2010 at 1:02 PM, Professor Thread <[email protected]> wrote:
> >>> >>> On 05/15/2010 03:08 PM, Chris Teodorski wrote:
> >>> >>>
> >>> >>> All,
> >>> >>>
> >>> >>> Does anyone know a good way to sneak netcat past modern AV?
> >>> >>>
> >>> >>> Chris
> >>> >>>
> >>> >>> Have you tried nmap's "ncat" version?
> >>> >>>
> >>> >>> _______________________________________________
> >>> >>> Pauldotcom mailing list
> >>> >>> [email protected]
> >>> >>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >>> >>> Main Web Site: http://pauldotcom.com
> > --
> > Ali Al-Hebshi
